Problem Statement

What internal network topology data is exposed to the public Internet?

• Use security as a motivator for network administrators to block the traffic
Agenda

Overview of Data Sources

Data Analysis
• A queries
• PTR queries
• SOA queries
• UDP UPDATES
• TCP UPDATES
• TSIG names

Conclusions and Future Work
Data Sources

DITL 2007 pcaps
Data Sources

• DITL 2007 AS112 packet captures
  - NaMeX (Italy)
    o 51 pcap files
    o Jan 8 @ 23:00 - Jan 11 @ 01:00
  - WIDE (Japan)
    o 50 pcap files
    o Jan 8 @ 23:45 - Jan 11 @ 00:00
  - Are there any others available?
Tools

• tcpdump
• dnsdump (Duane Wessels, John Kristoff)
  - Some customization to handle TCP & TSIG records
• Perl-fu, bash-fu
Data Analysis: Queries
Data Analysis

General approach was to divide the traffic into a few bins, extract features, and look for trends in each bin

• A queries
• PTR queries
• SOA queries
• UDP UPDATES
• TCP UPDATES
A queries

• Clients asking blackhole-1 and blackhole-2 for the A record of prisoner
• Results are not cached
  - Firewall blocking reply?
• Low volume, not very interesting
• No further trending
PTR queries

dns.qry.type == 0x000c

• Clients requesting the DNS name of an RFC1918 address
• Simple queries sent to blackhole-1 and blackhole-2
• Uniformity makes trending very easy
  - Packets are mostly 81-88 bytes
  - Outliers are a little interesting
• Not much of interest, no further trending
SOA queries

(dns.qry.type == 0x0006) && (dns.flags.opcode == 0)

• Sent to blackhole-1 and blackhole-2
• Clients looking for somewhere to send UPDATES
• Some request the entire address
  - SOA 120.130.1.10.in-addr.arpa
  - Recursion not desired
• Some request the block
  - 10.in-addr.arpa
  - Recursion desired
• Some have an EDNS0 record
SOA queries (2)

SOA Conclusions

• Might be useful to map out some internal addresses
• Might help fingerprint
• Further studies might help understand more fully
• No surprises, still not much of interest
Data Analysis: UDP UPDATES
UDP UPDATES

(ip.proto == 0x11) && (dns.flags.opcode == 5)

• Packets destined to prisoner (as expected)
• Two general formats
UDP UPDATE Form 1 (Wireshark dissection)

Frame 9161 (128 bytes on wire, 128 bytes captured)
Ethernet II, Src: Cisco_2c:78:1c (00:08:7c:2c:78:1c), Dst: DellPcba_71:75:f7 (00:0d:56:71:75:f7)
Internet Protocol, Src: 214.13.190.178 (214.13.190.178), Dst: 192.175.48.1 (192.175.48.1)    <-- Gateway Address
User Datagram Protocol, Src Port: 6615 (6615), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0x0762
    Flags: 0x2800 (Dynamic update)
    Zones: 1
    Prerequisites: 0
    Updates: 1
    Additional RRs: 0
    Zone
        10.in-addr.arpa: type SOA, class IN
            Name: 10.in-addr.arpa
            Type: SOA (start of zone of authority)
            Class: IN (0x0001)
    Updates
        131.100.87.10.in-addr.arpa: type PTR, class IN, stevecomputer
            Name: 131.100.87.10.in-addr.arpa    <-- Private Address
            Type: PTR (Domain name pointer)
            Class: IN (0x0001)
            Time to live: 15 minutes
            Data length: 15
            Domain name: stevecomputer          <-- Private Name

One zone SOA record in the Query slot; one PTR UPDATE record (type PTR, class IN, stevecomputer) in the NS/Auth slot.

UDP UPDATE Form 2 (Wireshark dissection)

Internet Protocol, Src: 214.13.190.173 (214.13.190.173), Dst: 192.175.48.1 (192.175.48.1)    <-- Gateway Address
User Datagram Protocol, Src Port: 6303 (6303), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0x9350
    Flags: 0x2800 (Dynamic update)
    Zones: 1
    Prerequisites: 1
    Updates: 2
    Additional RRs: 0
    Zone
        10.in-addr.arpa: type SOA, class IN
    Prerequisites
        6.0.0.10.in-addr.arpa: type CNAME, class NONE
            Name: 6.0.0.10.in-addr.arpa
            Type: CNAME (canonical name for an alias)
            Class: NONE (0x00fe)
            Time to live: 0 time
            Data length: 0
    Updates
        6.0.0.10.in-addr.arpa: type PTR, class ANY
            Name: 6.0.0.10.in-addr.arpa
            Type: PTR (Domain name pointer)
            Class: ANY (0x00ff)
            Time to live: 0 time
            Data length: 0
        6.0.0.10.in-addr.arpa: type PTR, class IN, mc4-36-006.MC4MED.local
            Name: 6.0.0.10.in-addr.arpa             <-- Private Address
            Type: PTR (Domain name pointer)
            Class: IN (0x0001)
            Time to live: 20 minutes
            Data length: 25
            Domain name: mc4-36-006.MC4MED.local    <-- Private Name (and sometimes domain)

One zone SOA record in the Query slot; a CNAME prerequisite in the ANS slot; first PTR update, class ANY, in the NS/Auth slot; second PTR update, class IN.
UDP UPDATE Form 2, three updates (Wireshark dissection)

Packet list (all to 192.175.48.1, "Dynamic update SOA 168.192.in-addr.arpa"):
    10324  2007-01-10 13:56:47.135613  214.1.24.173  132  DNS
    10344  2007-01-10 13:56:52.127340  214.1.24.173  132  DNS
     9642  2007-01-10 13:50:41.333741  214.13.1.46   133  DNS
     9635  2007-01-10 13:50:39.663650  214.13.1.46   139  DNS

Domain Name System (query)
    ...
    Updates: 3
    Additional RRs: 0
    Zone
        168.192.in-addr.arpa: type SOA, class IN
    Prerequisites
        5.16.168.192.in-addr.arpa: type CNAME, class NONE
            Name: 5.16.168.192.in-addr.arpa
            Type: CNAME (canonical name for an alias)
            Class: NONE (0x00fe)
            Time to live: 0 time
            Data length: 0
    Updates
        5.16.168.192.in-addr.arpa: type PTR, class ANY
            Name: 5.16.168.192.in-addr.arpa
            Type: PTR (Domain name pointer)
            Class: ANY (0x00ff)
            Time to live: 0 time
            Data length: 0
        5.16.168.192.in-addr.arpa: type PTR, class IN, nhglispy.nhgl.med.navy.mil
            Name: 5.16.168.192.in-addr.arpa
            Type: PTR (Domain name pointer)
            Class: IN (0x0001)
            Time to live: 20 minutes
            Data length: 28
            Domain name: nhglispy.nhgl.med.navy.mil
        5.16.168.192.in-addr.arpa: type PTR, class IN, nhglispy.nmed.ds.med.navy.mil
            Name: 5.16.168.192.in-addr.arpa
            Type: PTR (Domain name pointer)
            Class: IN (0x0001)
            Time to live: 20 minutes
            Data length: 31
            Domain name: nhglispy.nmed.ds.med.navy.mil

Two class IN UPDATES: walking up the domain hierarchy.
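Parsing the UPDATE messages shown above, as an added example that is not part of the original slides: it splits a DNS UPDATE (opcode 5) into zone, prerequisite, update and additional sections, decodes the PTR owner back to an IPv4 address, and keeps only the class-IN PTR adds that name a private host. The sample packet is constructed here to mirror Form 2 above; the function names are my own.

```python
import ipaddress
import struct

OPCODE_UPDATE = 5
TYPE_CNAME, TYPE_SOA, TYPE_PTR = 5, 6, 12
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def read_name(buf, off):
    """Read a domain name at buf[off], following RFC 1035 compression pointers;
    returns (dotted name, offset just past the name as it sits in the message)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def read_rr(buf, off, question=False):
    """Read one RR; question=True reads a Zone entry, which has question format."""
    name, off = read_name(buf, off)
    rtype, rclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    rr = {"name": name, "type": rtype, "class": rclass}
    if not question:
        ttl, rdlen = struct.unpack("!IH", buf[off:off + 6])
        off += 6
        rr["ttl"], rr["rdata"] = ttl, buf[off:off + rdlen]
        if rtype in (TYPE_PTR, TYPE_CNAME) and rdlen:
            rr["target"] = read_name(buf, off)[0]   # RDATA is a domain name
        off += rdlen
    return rr, off


def parse_update(buf):
    """Split an UPDATE message (RFC 2136) into its four sections. The counts
    reuse the query header slots, which is why Wireshark shows the zone
    under 'Queries', prerequisites under 'Answers' and updates under 'Authority'."""
    txid, flags, zc, pc, uc, ac = struct.unpack("!HHHHHH", buf[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_UPDATE:
        raise ValueError(f"opcode {opcode} is not UPDATE")
    msg = {"id": txid, "zone": [], "prereq": [], "update": [], "additional": []}
    off = 12
    for key, count in (("zone", zc), ("prereq", pc), ("update", uc), ("additional", ac)):
        for _ in range(count):
            rr, off = read_rr(buf, off, question=(key == "zone"))
            msg[key].append(rr)
    return msg


def reverse_to_ip(name):
    """'6.0.0.10.in-addr.arpa' -> IPv4Address('10.0.0.6'); None unless a full /32 owner."""
    parts = name.lower().split(".")
    if len(parts) != 6 or parts[4:] != ["in-addr", "arpa"]:
        return None
    return ipaddress.IPv4Address(".".join(reversed(parts[:4])))


def leaked_facts(buf):
    """(zone, private IPv4, hostname) for each class-IN PTR add on a private
    owner. The class-NONE prerequisite and class-ANY delete that precede it in
    Form 2 carry no RDATA and are skipped."""
    msg = parse_update(buf)
    zone = msg["zone"][0]["name"] if msg["zone"] else ""
    facts = []
    for rr in msg["update"]:
        if rr["type"] == TYPE_PTR and rr["class"] == CLASS_IN and "target" in rr:
            ip = reverse_to_ip(rr["name"])
            if ip is not None and ip.is_private:
                facts.append((zone, str(ip), rr["target"]))
    return facts


# Constructed sample mirroring UDP UPDATE Form 2 above (not a captured packet).
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_sample_update():
    hdr = struct.pack("!HHHHHH", 0x9350, OPCODE_UPDATE << 11, 1, 1, 2, 0)  # flags 0x2800
    zone = encode_name("10.in-addr.arpa") + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    owner = encode_name("6.0.0.10.in-addr.arpa")
    prereq = owner + struct.pack("!HHIH", TYPE_CNAME, CLASS_NONE, 0, 0)   # "owner is not a CNAME"
    delete = owner + struct.pack("!HHIH", TYPE_PTR, CLASS_ANY, 0, 0)      # delete existing PTRs
    target = encode_name("mc4-36-006.MC4MED.local")                        # 25 bytes of RDATA
    add = owner + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 20 * 60, len(target)) + target
    return hdr + zone + prereq + delete + add
```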
UDP UPDATE Form

Might relate to assigned DNS suffixes?

[Screenshot: Windows "Advanced TCP/IP Settings" dialog, DNS tab, reached from Local Area Connection Properties > Internet Protocol (TCP/IP) Properties. It shows "DNS server addresses, in order of use", then "The following three settings are applied to all connections with TCP/IP enabled. For resolution of unqualified names:" with "Append these DNS suffixes (in order):" selected and the list nhgl.ds.med, nmed.ds.med; "Register this connection's addresses in DNS" and "Use this connection's DNS suffix in DNS registration" are both checked.]

Software Engineering Institute, Carnegie Mellon
UDP UPDATES: Stats

Unique Entries
    NaMeX        402,135   (18.7%)
    WIDE       1,743,505   (81.3%)
    Total      2,145,226
    Overlap          414*  (0.02%)
    No Domain    401,977   (18.7%)
    Gateways     616,618

*Overlap: 204.10.216.0/21 (Education Co-op in Cincinnati) had 2000+ total clients; 18% (353) hit both NaMeX and WIDE through one of 11 gateways.

Also 70.63.30.170 (Roadrunner) hit both NaMeX and WIDE with various hosts.
UDP UPDATES: Arrival Rate

[Chart: NaMeX hourly and NaMeX cumulative UDP UPDATE counts over the capture period, y-axis 0 to 45,000]

Unexpected errors processing a few of the capture files
UDP UPDATES: Most Popular Gateways

Clients   Gateway           Owner
26,285    65.120.80.8       Qwest Communications
15,947    65.117.145.11     Qwest Communications
15,090    202.21.158.18     Republic Polytechnic, Singapore
 8,796    210.53.201.160    CNCGroup IP network, China
 6,483    206.80.195.18     Qwest Communications
 6,295    204.228.117.202   WestNet, Inc, Boulder, CO
 5,831    202.39.57.251     Chunghwa Telecom Co., Ltd., Taiwan
 5,170    202.42.255.254    Singapore General Hospital, Singapore
 4,815    203.127.180.234   SingNet Pte Ltd, Singapore
 4,202    66.77.163.198     Qwest Communications
UDP UPDATES: Most Popular Private /24's

Clients   Private /24               Clients   Private /24
255,322   192.168.1.0/24 (11.9%)     12,484   192.168.20.0/24
174,708   192.168.0.0/24 (8.1%)      12,334   192.168.4.0/24
 48,096   192.168.2.0/24             12,009   172.16.1.0/24
 39,811   10.0.0.0/24                 9,933   10.5.0.0/24
 36,300   192.168.10.0/24             9,588   10.10.10.0/24
 27,710   192.168.100.0/24            9,166   192.168.6.0/24
 22,651   192.168.3.0/24              9,058   172.16.2.0/24
 17,192   192.168.11.0/24             8,944   192.168.8.0/24
 15,154   192.168.5.0/24              8,642   10.0.1.0/24
 13,299   10.1.1.0/24                 8,421   10.14.36.0/24

*Rankings are nearly identical whether counting gateways or clients using a /24
UDP UPDATES: Most Popular Client Names

Count    Name             Count   Name
12,187   server (0.5%)      764   pc04
 2,430   admin              708   user
 1,691   server1            705   frontdesk
 1,593   server01           687   laptop
   937   pc01               642   pc05
   836   pc02               605   pc06
   802   reception          593   server2
   802   pc03               577   pc11
   785   toshiba-user       563   mail
   785   computer           553   server2003

Why so many servers? Are these DHCP servers? DNS servers? Gateways?
UDP UPDATES: Most Popular TLD

Count     Name                Count    Name
434,106   local (20.2%)       24,299   my
401,979   [no TLD] (18.7%)    21,832   lcl
376,808   com                 15,750   it
137,814   tw                  13,119   corp
112,570   us                  10,761   kr
 97,057   jp                   7,111   cn
 82,894   edu                  6,839   loc
 82,009   org                  6,206   locale
 76,556   net                  6,043   int
 46,028   sg                   5,558   intra

Software Engineering Institute, Carnegie Mellon. © 2007 Carnegie Mellon University


Data Analysis: TCP UPDATES
TCP UPDATES

(ip.proto == 0x06)

• Packets destined to prisoner
• Well-formed TCP connection
  - SYN, SYN-ACK, ACK
  - One packet of data
  - FIN, ACK, FIN, ACK
TCP UPDATES (2)

• Part of a larger conversation
  - UDP UPDATE request
  - Three TCP UPDATE attempts
• Does the TCP UPDATE have additional information?
  - Yes, it's actually sending a TKEY record
  - Again, there are two general formats
TCP UPDATES the Microsoft Way

[Sequence diagram between Client, Local Name Server and Active Directory; the notes in parentheses are what prisoner and the blackhole servers see]

• Find authoritative server (UDP SOA? to blackhole-1,2)
• Result (authoritative server's name and IP address)
• Attempt nonsecure update (UDP UPDATE to prisoner)
• Refused
• TKEY negotiation (negotiates which security protocol to use) (TCP UPDATE to prisoner, 3 attempts)
• TKEY negotiation (tells client it will use the Kerberos authentication protocol)
• Attempt update with TSIG
• Reply (success or failure) with TSIG
• Attempt to update Active Directory with LDAP
• Reply (success or failure) with LDAP

Source: Windows 2000 Server Resource Kit, DNS / Dynamic and Secure Dynamic Update, www.microsoft.com
Microsoft Implementation Notes

From KB article 816592:

• Clients that are running Windows Server 2003, Windows 2000, or Windows XP DHCP interact with DNS dynamic update protocol in the following manner:
  - The client initiates a DHCP request message (DHCPREQUEST) to the server. The request includes option 81.
  - The server returns a DHCP acknowledgement message (DHCPACK) to the client. The client grants an IP address lease and includes option 81. If the DHCP server is configured with the default settings, option 81 tells the client that the DHCP server will register the DNS PTR record and that the client will register the DNS A record.
  - Asynchronously, the client sends a DNS update request to the DNS server for its own forward lookup record, a host A resource record.
  - The DHCP server registers the PTR record of the client.
• By default, Windows XP and Windows Server 2003 reregister their A and PTR resource records every 24 hours regardless of the computer's role.
TCP TKEY Form 1: Key Features (Wireshark dissection)

Packet list (214.1.101.21 -> 192.175.48.1):
     8  2007-01-10 13:01:40.014815  TCP  4271 > domain [SYN]  Seq=0 Ack=0 Win=16384
    10  2007-01-10 13:01:40.376805  TCP  4271 > domain [ACK]  Seq=1 Ack=0
    11  DNS query (frame dissected below)
        TCP  4271 > domain [FIN, ACK]  Seq=150 Ack=14
        TCP  4271 > domain [ACK]       Seq=151 Ack=15

Frame 11 (203 bytes on wire, 203 bytes captured)
Ethernet II, Src: Cisco_2c:78:1c (00:08:7c:2c:78:1c), Dst: DellPcba_71:75:f7 (00:0d:56:71:75:f7)
Internet Protocol, Src: 214.1.101.21 (214.1.101.21), Dst: 192.175.48.1 (192.175.48.1)    <-- Gateway Address
Transmission Control Protocol, Src Port: 4271 (4271), Dst Port: domain (53), Seq: 1, Ack: 0, Len: 149
Domain Name System (query)
    Length: 147
    Transaction ID: 0xad3c
    Flags: 0x0000 (standard query)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        1163231104530-2: type TKEY, class IN
    Answers
        1163231104530-2: type TKEY, class ANY
            Name: 1163231104530-2
            Type: TKEY (Transaction Key)
            Class: ANY (0x00ff)
            Time to live: 0 time
            Data length: 87
            Algorithm name: gss.microsoft.com
            Signature inception: Jan 10, 2007 13:01:40.000000000
            Signature expiration: Jan 11, 2007 13:01:40.000000000
            Mode: gssapi
            Error: No error
            Key size: 52
            Key Data
                NTLMSSP
                    NTLMSSP identifier: NTLMSSP
                    NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
                    Flags: 0xe208b297
                    Calling workstation domain: nmed        <-- Workstation Domain (Unicode)
                    Calling workstation name: NHGLISPY      <-- Workstation Name (Unicode)
                    Other size: 0
TCP TKEY Form 2 (Wireshark dissection)

Packet list (2007-01-03 13:45:37, all to 192.175.48.1):
    1  60.49.139.45    274  DNS  Standard query TKEY 4932-ms-7.16548-c2f77...
    2  65.114.23.4      74  TCP  52352 > domain [SYN] Win=16384
    3  64.254.67.113   274  DNS  Standard query TKEY 2840-ms-7.39288-c47f4...

Frame 4 (274 bytes on wire, 274 bytes captured)
Ethernet II, Src: Cisco_2c:78:1c (00:08:7c:2c:78:1c), Dst: DellPcba_71:75:f7 (00:0d:56:71:75:f7)
Internet Protocol, Src: 72.164.150.170 (72.164.150.170), Dst: 192.175.48.1 (192.175.48.1)
Transmission Control Protocol, Src Port: 37033 (37033), Dst Port: domain (53), Seq: 0, Ack: 0, Len: 220
Domain Name System (query)
    Length: 218
    Transaction ID: 0x93f1
    Flags: 0x0000 (standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        3396-ms-7.212141-1bcfdba.7f1ac758-781e-11db-95ae-0013725454ff: type TKEY, class IN    <-- TKEY Query; name looks like a GUID
    Additional records
        3396-ms-7.212141-1bcfdba.7f1ac758-781e-11db-95ae-0013725454ff: type TKEY, class ANY
            Name: 3396-ms-7.212141-1bcfdba.7f1ac758-781e-11db-95ae-0013725454ff
            Type: TKEY (Transaction Key)
            Class: ANY (0x00ff)
            Time to live: 0 time
            Data length: 66
            Algorithm name: gss-tsig                          <-- TKEY Algorithm gss-tsig
            Signature inception: Jan 3, 2007 13:45:37.000000000
            Signature expiration: Jan 9, 2007 13:45:37.000000000
            Mode: gssapi
            Error: No error
            Key size: 40
            Key Data
                NTLMSSP
                    NTLMSSP identifier: NTLMSSP
                    NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
                    Flags: 0xe2088297
                    Calling workstation domain: NULL          <-- NTLMSSP Data: NULL!
                    Calling workstation name: NULL
                    Other size: 0
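Decoding what the TKEY records in both forms above carry, as an added example that is not from the original slides: the TKEY RDATA is split per RFC 2930 and the NTLMSSP NEGOTIATE message inside it is read per MS-NLMP, using the OEM_DOMAIN_SUPPLIED and OEM_WORKSTATION_SUPPLIED flag bits to decide whether a domain and workstation name are present (set in the Form 1 flags, clear in Form 2). The RDATA and NTLMSSP blobs are constructed to mirror the two dissections; function names and the contents of the Version field are my own assumptions.

```python
import calendar
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1
NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000        # MS-NLMP flag bits
NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000
NEGOTIATE_VERSION = 0x02000000


def parse_tkey_rdata(rdata):
    """Split TKEY RDATA (RFC 2930) into its fields; the algorithm name is never
    compressed, so a plain label walk is enough here."""
    labels, off = [], 0
    while rdata[off]:
        labels.append(rdata[off + 1:off + 1 + rdata[off]].decode("ascii"))
        off += 1 + rdata[off]
    off += 1
    inception, expiration, mode, error, key_size = struct.unpack("!IIHHH", rdata[off:off + 14])
    off += 14
    return {"algorithm": ".".join(labels), "inception": inception, "expiration": expiration,
            "mode": mode, "error": error, "key": rdata[off:off + key_size]}


def _field(buf, off):
    """Decode an NTLM (Len, MaxLen, BufferOffset) descriptor into its bytes."""
    length, _maxlen, start = struct.unpack("<HHI", buf[off:off + 8])
    return buf[start:start + length]


def parse_negotiate(blob):
    """Flags plus domain/workstation from an NTLMSSP NEGOTIATE message. A name
    is None when its *_SUPPLIED flag is clear, which is the XP/2003 case."""
    if blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("key data is not NTLMSSP")
    msg_type, flags = struct.unpack("<II", blob[8:16])
    if msg_type != NTLMSSP_NEGOTIATE:
        raise ValueError(f"NTLM message type {msg_type} is not NEGOTIATE")
    domain = workstation = None
    if flags & NEGOTIATE_OEM_DOMAIN_SUPPLIED:
        domain = _field(blob, 16).decode("cp437")        # OEM character set
    if flags & NEGOTIATE_OEM_WORKSTATION_SUPPLIED:
        workstation = _field(blob, 24).decode("cp437")
    return {"flags": flags, "domain": domain, "workstation": workstation}


def leaked_identity(rdata):
    """What a single TKEY exchange reveals about the client behind the gateway."""
    tkey = parse_tkey_rdata(rdata)
    ntlm = parse_negotiate(tkey["key"])
    return tkey["algorithm"], ntlm["domain"], ntlm["workstation"]


# --- constructed samples (not captured packets) -------------------------------

def build_negotiate(flags, domain=b"", workstation=b""):
    """32-byte fixed part, 8-byte Version when NEGOTIATE_VERSION is set, then payload."""
    version = struct.pack("<BBH3xB", 5, 1, 2195, 0x0F) if flags & NEGOTIATE_VERSION else b""
    payload = 32 + len(version)
    fields = struct.pack("<HHIHHI", len(domain), len(domain), payload,
                         len(workstation), len(workstation), payload + len(domain))
    return (NTLMSSP_SIGNATURE + struct.pack("<II", NTLMSSP_NEGOTIATE, flags)
            + fields + version + domain + workstation)


def build_tkey_rdata(algorithm, inception, expiration, key):
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in algorithm.split(".")) + b"\x00"
    # mode 3 = GSS-API negotiation, error 0, key, other-data size 0
    return name + struct.pack("!IIHHH", inception, expiration, 3, 0, len(key)) + key + b"\x00\x00"


INCEPTION = calendar.timegm((2007, 1, 10, 13, 1, 40, 0, 0, 0))
EXPIRATION = INCEPTION + 86400
# Windows 2000 form: flags as dissected above, domain and workstation supplied.
WIN2000_RDATA = build_tkey_rdata("gss.microsoft.com", INCEPTION, EXPIRATION,
                                 build_negotiate(0xE208B297, b"nmed", b"NHGLISPY"))
# XP/2003 form: neither *_SUPPLIED flag is set, so the NTLMSSP data is NULL.
XP2003_RDATA = build_tkey_rdata("gss-tsig", INCEPTION, EXPIRATION,
                                build_negotiate(0xE2088297))
```

The constructed Form 1 and Form 2 RDATA come out at 87 and 66 bytes with key sizes 52 and 40; the 8-byte NTLMSSP Version field is what lifts the key above the 32-byte fixed header to the Key size values the two dissections show.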


TCP UPDATES: Stats

Filter Expression: tcp port 53 and dst net 192.175.48.0/24 and greater 68

TCP Packets Processed     33,407,149
Workstation, Domain       28,583,277   (85.6%)
No Workstation             4,487,536   (13.4%)
SYN/FIN/RST                  336,186   (1.0%)
Malformed Packets              1,331   (0.0%)
TSIG but no NTLM                 132   (0.0%)
QR flag set                        6   (0.0%)
TCP UPDATES: Stats (2)

Unique Entries (gateway, domain, workstation)
    Total                   279,916
    NaMeX                    44,286   (15.8%)
    WIDE                    235,635   (84.2%)
    Overlap                       5*  (0.0%)
    Unicode Domains           1,099   (2.4%)
    Unicode Workstations      4,675   (2.6%)

*Same sources as for UDP UPDATES
TCP UPDATES: Most Popular Gateways

Clients   Gateway           Owner
2,632     202.42.255.254    Singapore General Hospital
2,452     219.81.16.30      Taiwan Fixed Network CO., LTD.
2,130     210.128.214.254   Nitori Co., Ltd. (furniture retailer)
1,491     202.214.81.194    West Nippon Expressway Company Limited
1,222     60.48.15.219      Telekom Malaysia Berhad
  988     60.48.19.195      Telekom Malaysia Berhad
  799     66.77.33.167      Pro Furniture Row LLC
  791     220.130.69.5      Chunghwa Telecom Co., Ltd (Taiwan)
  754     219.188.194.254   Japan nation-wide Network of SOFTBANK BB CORP
  639     211.23.62.187     Chunghwa Telecom Co., Ltd (Taiwan)

Similar to UDP gateways, except more corporate networks
Client Workstation Counts

Clients   Domain        Gateway           Owner
1,908     SGHAD         202.42.255.254    Singapore General Hospital
1,483     WEST          202.214.81.194    West Nippon Expressway Company Ltd
  879     AMBANKGROUP   60.48.15.219      Telekom Malaysia Berhad
  780     FRSALES       66.77.33.167      Pro Furniture Row LLC
  768     CSH           220.130.69.5      Chunghwa Telecom Co., Ltd (Taiwan)
  743     BB            219.188.194.254   Japan nation-wide SOFTBANK BB
  697     AMBANKGROUP   60.48.19.195      Telekom Malaysia Berhad
  638     KUOZUI        211.23.62.187     Chunghwa Telecom Co., Ltd (Taiwan)
  608     KUOZUI        220.130.36.130    Chunghwa Telecom Co., Ltd (Taiwan)
  602     KUOZUI        61.222.92.211     Chunghwa Telecom Co., Ltd (Taiwan)

Most Popular Workstation Name

Clients   Workstation        Clients   Workstation
6,065     SERVER* (2.2%)         248   SERVER2
  873     SERVER01               222   W2KSERVER
  764     SERVER1                205   EXPRESS5800
  329     SERVER02               191   OFFICE
  311     NTSERVER               182   SV01
  299     SERVER2000             154   SV1
  299     DHCP                   152   SCOTT
  283     FILESERVER             143   SAPDSVR
  281     MAIL                   140   MARK
  273     BBSM52                 132   SERVER2K
Most Popular Domain Name

Gateways   Domain
11,039     WORKGROUP (11.3%)
 1,961     DOMAIN
   670     STCHARLES
   593     SEBRING
   547     POLARBEAR
   512     SALEMSCHOOLS
   443     YDOADS
   425     NRCN
   425     MSHOME
   422     EAST LIVERPOOL

*Counts represent the number of gateways using a particular domain name
Data Analysis: TSIG Names
TSIG Names: Two Formats (revisited)

• Windows 2000

    962072674322-2
    1065151889426-2
    3985729650706-2
    7627861917714-3
    6923487281170-2
    1047972020242-2
    1013612281874-3

• Windows 2003/XP

    2988-ms-7.61440-19b1c78f.74bae630-9d13-11db-61bb-0010180dacbc
    1920-ms-7.30789-7f24b0d.73103774-9fc7-11db-5eb2-001321c84d09
    928-ms-7.213083-c2aa1a4.c9fb0b8a-9f23-11db-a1b2-0002b3c712be
    3680-ms-7.54569-46d9335a.38cc9ec8-962f-11db-b6a7-001143d9fb76
    2036-ms-7.255072-7d2a7998.28bb8cee-8de5-11db-d1b7-0002a5f0d4b6
    1332-ms-7.42113-3f1d5548.f481e320-975c-11db-5b86-0014220c67ee
    3408-ms-7.77054-2d821f07.d01c7e98-9a0c-11db-fe80-000bcd9a9627
TSIG Names: Windows 2000 Format

• Arrive in triplets
  - Same root; one "-3" suffix, then two "-2" suffixes
• Convert root to hex:

    962072674322     00E0 0000 0012
    1065151889426    00F8 0000 0012
    3985729650706    03A0 0000 0012
    7627861917714    06F0 0000 0012
    6923487281170    064C 0000 0012
    1047972020242    00F4 0000 0012
    1013612281874    00EC 0000 0012

  - The last four bytes do actually change occasionally
  - Two bytes are not enough for a fingerprint
TSIG Names: Windows 2003 Format

    2988-ms-7.61440-19b1c78f.74bae630-9d13-11db-61bb-0010180dacbc
    1920-ms-7.30789-7f24b0d.73103774-9fc7-11db-5eb2-001321c84d09
    928-ms-7.213083-c2aa1a4.c9fb0b8a-9f23-11db-a1b2-0002b3c712be
    3680-ms-7.54569-46d9335a.38cc9ec8-962f-11db-b6a7-001143d9fb76
    2036-ms-7.255072-7d2a7998.28bb8cee-8de5-11db-d1b7-0002a5f0d4b6
    1332-ms-7.42113-3f1d5548.f481e320-975c-11db-5b86-0014220c67ee
    3408-ms-7.77054-2d821f07.d01c7e98-9a0c-11db-fe80-000bcd9a9627

• First label (e.g. 2988): decimal sequence number (increments with every request)
• Second label (e.g. 61440-19b1c78f): hexadecimal timestamp (?)
• Third label (e.g. 74bae630-9d13-11db-61bb-0010180dacbc): GUID (?)

Apparently unique to a workstation

Can the GUID be used to uniquely identify NATd machines?
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TSIG Names: XP/2003 Stats


TSIG Names:

TSIG packets processed        34,651,194
Windows 2000 format           29,881,014  (86.2%)
Windows XP/2003 format         4,768,781  (13.8%)


XP/2003 GUIDs:

Unique GUIDs                        1,508*
GUIDs with multiple gateways           64**  (4.2%)


* Assuming the GUID is unique to the machine, this equates to 3,162 TSIG
packets per machine over 48 hours. With 3 retries per update, each machine
attempts an update roughly every 3 minutes.

** The gateway addresses for these GUIDs were all registered to the same owners.
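The two name formats above and the per-GUID gateway count on this slide, as an added worked example (not code from the original deck or from the dnsdump tooling it mentions). The TSIG/TKEY owner names are the ones printed on the slides; the gateway addresses, and the two XP/2003 names with the sequence number stepped, are constructed for the example. Reading the GUID as a time-based UUID with a MAC in its node field is an assumption of the example, not a finding of the deck.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of (gateway address, TSIG/TKEY owner name) pairs. The
# names are the ones shown on the slides (plus two follow-on XP/2003 names
# with the sequence number stepped, to show the per-request increment); the
# gateway addresses are made up for this example.
SAMPLE_RECORDS = [
    ("203.0.113.10", "962072674322-3"),
    ("203.0.113.10", "962072674322-2"),
    ("203.0.113.10", "962072674322-2"),
    ("203.0.113.10", "1065151889426-3"),
    ("198.51.100.7", "2988-ms-7.61440-19b1c78f.74bae630-9d13-11db-61bb-0010180dacbc"),
    ("198.51.100.7", "2989-ms-7.61441-19b1c7a2.74bae630-9d13-11db-61bb-0010180dacbc"),
    ("198.51.100.9", "2990-ms-7.61442-19b1c7b5.74bae630-9d13-11db-61bb-0010180dacbc"),
    ("192.0.2.33",   "1920-ms-7.30789-7f24b0d.73103774-9fc7-11db-5eb2-001321c84d09"),
]

# Windows 2000: decimal root followed by a "-2" or "-3" suffix.
WIN2000_RE = re.compile(r"^(\d+)-([23])$")
# Windows XP/2003: <seq>-ms-7.<decimal>-<hex timestamp>.<GUID>
XP2003_RE = re.compile(
    r"^(\d+)-ms-(\d+)\.(\d+)-([0-9a-f]+)\."
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def classify(name):
    """Return 'win2000', 'xp2003' or 'other' for a TSIG/TKEY owner name."""
    if WIN2000_RE.match(name):
        return "win2000"
    if XP2003_RE.match(name):
        return "xp2003"
    return "other"


def win2000_root_hex(name):
    """Decimal root of a Windows 2000 name as the 48-bit hex form used on the
    slide, e.g. 962072674322-3 -> '00E0 0000 0012'."""
    root = int(WIN2000_RE.match(name).group(1))
    hexstr = f"{root:012X}"
    return " ".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def parse_xp2003(name):
    """Split an XP/2003 name into its fields. The version nibble and node
    field are decoded as for a time-based UUID (an assumption of this example)."""
    m = XP2003_RE.match(name)
    seq, _ms_n, _dec, ts_hex, guid = m.groups()
    parts = guid.split("-")
    node = parts[4]
    return {
        "seq": int(seq),
        "ts_hex": ts_hex,
        "guid": guid,
        "uuid_version": int(parts[2][0], 16),
        "node_mac": ":".join(node[i:i + 2] for i in range(0, 12, 2)),
    }


def summarize(records):
    """Counts per format, the Windows 2000 triplet check (one -3, two -2 per
    root) and GUIDs seen behind more than one gateway."""
    formats = Counter()
    suffixes = defaultdict(Counter)   # win2000 root -> {suffix: count}
    gateways = defaultdict(set)       # GUID -> gateways it arrived from
    for gw, name in records:
        kind = classify(name)
        formats[kind] += 1
        if kind == "win2000":
            root, suffix = WIN2000_RE.match(name).groups()
            suffixes[root][suffix] += 1
        elif kind == "xp2003":
            gateways[parse_xp2003(name)["guid"]].add(gw)
    complete = sorted(r for r, c in suffixes.items() if c["3"] == 1 and c["2"] == 2)
    multi = sorted(g for g, gws in gateways.items() if len(gws) > 1)
    return {
        "win2000": formats["win2000"],
        "xp2003": formats["xp2003"],
        "other": formats["other"],
        "complete_triplets": complete,
        "unique_guids": len(gateways),
        "multi_gateway_guids": multi,
    }


if __name__ == "__main__":
    for _, n in SAMPLE_RECORDS[:2]:
        print(n, "->", win2000_root_hex(n))
    print(parse_xp2003(SAMPLE_RECORDS[4][1]))
    print(summarize(SAMPLE_RECORDS))
```

Feed it the (source address, owner name) pairs that dnsdump prints for TKEY/TSIG records and `summarize` reproduces the counts on the slide; `multi_gateway_guids` is the list behind the "GUIDs with multiple gateways" figure, which is what you would then look up against whois to confirm the same-owner observation.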
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Anomalies 
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Anomalies:  “Spoofed”  Source  Address 

Gateway (source) address within RFC1918 space

• Over 2000 events in UDP UPDATES alone

• The spoofed source IP is not always the same as the
private address carried in the UPDATE

• Mostly SOA, PTR queries

—Some TCP SYNs

—One set of ICMP "filtered" replies

—Even one set of TCP data (TSIG) packets (!)

• WIDE replied (didn't check NaMeX)
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[Figure: two Wireshark captures from WIDE of packets with an RFC1918 source address; only the decoded fields survive]

Capture 1, 2007-01-08 19:11:11.063025, frame 259 (197 bytes): TCP data (TSIG) packet
  Ethernet: src Cisco_2c:78:1c, dst Dell_71:75:f7 (00:0d:56:71:75:f7)
  IP: src 192.168.1.6 [annotated "Spoofed Source"], dst 192.175.48.1
  TCP: src port 2252, dst port domain (53), flags 0x0018 (PSH, ACK), seq 0, ack 0,
       len 143, window 16872, checksum incorrect [annotated "Bad Checksum", should be 0x8635]
  DNS (query, length 141): transaction id 0x2d08, flags 0x0000 (standard query),
       Questions 1, Answer RRs 1, Authority RRs 0, Additional RRs 0
    Answer: 996432412690-3, type TKEY (Transaction Key), class ANY (0x00ff), TTL 0, data length 33
      Algorithm name: gss.micro\366qg\274.com [annotated "Corrupt Data"; should read gss.microsoft.com]
      Signature inception:  Jan 8, 2007 20:02:46
      Signature expiration: Jan 9, 2007 20:02:46
      Mode: gssapi, Error: no error, Key size: 48, Key data: NTLMSSP (identifier "ntlmssp")

Capture 2, frame 143 (70 bytes): ICMP "filtered" reply
  Ethernet: src Cisco_2c:78:1c (00:08:7c:2c:78:1c), dst Dell_71:75:f7 (00:0d:56:71:75:f7)
  IP: src 192.168.254.2 [annotated "Spoofed Source"], dst 192.175.48.1, total length 56,
      id 0x27e1 (10209), flags 0x00, TTL 242, protocol ICMP (0x01), header checksum 0xf187 [correct]
  ICMP: type 3 (Destination unreachable), code 13 (communication administratively filtered),
        checksum 0x40ce [correct]
    Quoted IP: src 192.175.48.1, dst 203.98.6.170 [annotated "True Source"], total length 156,
        id 0x6477 (25719), flags 0x00, TTL 47, protocol UDP (0x11), header checksum 0x641d [correct]
      UDP: src port domain (53), dst port 4911, length 136, checksum 0xa838
Anomalies: "Spoofed" Source Address

Probably broken NATs and corruption

• (or could this be crafted/malicious?)

• Interesting, but not huge

—The two captures point in different directions: the TSIG packet has a bad TCP checksum and a corrupted algorithm name, which looks like damage in transit or a broken middlebox, while the ICMP "filtered" reply has correct checksums and quotes a genuine AS112 response, which looks like a filtering device answering from its own RFC1918 address.
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Conclusions  and 
Future  Work 
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Data Exfiltration via AS112


Problem  Statement:  What  internal  network 
topology  data  is  exposed  to  the  public 
Internet? 

•  Gateway  address 

•  Private  Address 

•  Private  Name 

•  Windows  Domain 

•  Windows  Workstation  Name 
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Recommendations 


What are the prioritized preferred solutions?

• Make your DNS server authoritative for all RFC1918
PTR zones

• Create site-local dead-end SOA entries for RFC1918
PTR zones (?)

• Create site-local dead-end DNS entries for
prisoner.iana.org, blackhole-1.iana.org and blackhole-2.iana.org (?)

• Block all outbound traffic to 192.175.48.0/24 (?)

—Blocking alone leaves the clients retrying (the retry rate seen above); a local authoritative answer stops the traffic at its source

• Reroute AS112 traffic internally (?)


Best Publication Route?
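A way to verify the first recommendation, as an added example that is not part of the original deck: send a PTR query for an RFC1918 address to a resolver and classify the answer from its header flags and the SOA in the authority section. An authoritative NXDOMAIN (AA bit set) means the resolver serves the zone itself; an answer whose SOA MNAME is prisoner.iana.org is AS112's own SOA, so the query left the site. The `example.internal` names and the SOA timers are constructed for the test; the AS112 SOA names are the real ones from the public AS112 zone files.

```python
import os
import socket
import struct

# Reverse zones for RFC1918 space that a site resolver should answer itself.
RFC1918_REVERSE_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    + ["168.192.in-addr.arpa"]
)
QTYPE_PTR, QTYPE_SOA, CLASS_IN = 12, 6, 1
NXDOMAIN = 3


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qname, qtype, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def build_nxdomain_response(txid, qname, zone, mname, rname, aa):
    """NXDOMAIN with one SOA in the authority section: a local dead-end zone
    (aa=True) or a recursive resolver relaying AS112's answer (aa=False).
    SOA timers are placeholders."""
    flags = 0x8000 | 0x0100 | 0x0080 | NXDOMAIN | (0x0400 if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_PTR, CLASS_IN)
    soa_rdata = (encode_name(mname) + encode_name(rname)
                 + struct.pack("!IIIII", 1, 604800, 60, 604800, 604800))
    authority = (encode_name(zone)
                 + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, 604800, len(soa_rdata))
                 + soa_rdata)
    return header + question + authority


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    info = {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an,
            "soa_zone": None, "soa_mname": None, "soa_rname": None}
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA and info["soa_mname"] is None:
            mname, p = decode_name(msg, off)
            rname, _ = decode_name(msg, p)
            info.update(soa_zone=owner, soa_mname=mname, soa_rname=rname)
        off += rdlen
    return info


def judge(info):
    """Where did the RFC1918 PTR answer come from?"""
    if info["aa"] and info["rcode"] == NXDOMAIN:
        return "served locally: authoritative NXDOMAIN, SOA " + (info["soa_mname"] or "?")
    if info["soa_mname"] and info["soa_mname"].endswith("iana.org."):
        return "leaked: answer carries the AS112 SOA " + info["soa_mname"]
    return "not authoritative locally: query is being forwarded upstream"


def check_resolver(server, qname="1.1.168.192.in-addr.arpa", timeout=3.0):
    """Send a real PTR query over UDP (needs network; not exercised offline)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, QTYPE_PTR, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    info = parse_response(data)
    if info["id"] != txid:
        raise ValueError("transaction id mismatch")
    return judge(info)
```

Run `check_resolver` against each site resolver for one address in every zone in `RFC1918_REVERSE_ZONES`; recent BIND releases serve these as built-in empty zones, so "served locally" is what a correctly configured resolver returns, and "leaked" is the case the deck is measuring from the AS112 side.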
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CERT


Analysis  of  AS112 
Traffic 
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